A. It configures a hub router to automatically add spoke routers to the multicast replication list of the hub B. It enables a GRE tunnel to operate without the IPsec peer or crypto ACLs. C. it enables a GRE tunnel to dynamically update the routing tables on the devices at each end of the tunnel D. It configures a hub router to reflect the routes it learns from a spoke back to other spokes through the same interface

Answer: A

QUESTION 352 Which statement about VRF-aware GDOI group members is true?

A. IPsec is used only to secure data traffic. B. The GM cannot route control traffic through the same VRF as data traffic C. Multiple VRFs are used to separate control traffic and data traffic D. Registration traffic and rekey traffic must operate on different VRFs

Answer: C

QUESTION 353 Refer to the exhibit. Which data format is used in this script?

A. API B. JavaScript C. JSON D. YANG E. XML

Answer: E

QUESTION 354 Which two statements about Cisco URL Filtering on Cisco IOS Software are true? (Choose two )

A. It supports Websense and N2H2 filtering at the same time. B. It supports local URL lists and third-party URL filtering servers, C. By default, it uses ports 80 and 22. D. It supports HTTP and HTTPS traffic. E. By default, it allows all URLs when the connection to the filtering server is down. F. It requires minimal CPU time

Answer: BD

QUESTION 355 Which two options are benefits of the Cisco ASA transparent firewall mode? (Choose two )

A. It can establish routing adjacencies. B. It can perform dynamic routing. C. It can be added to an existing network without significant reconfiguration D. It supports extended ACLs to allow Layer 3 traffic to pass from higher to lower security interfaces E. It provides SSL VPN support.

A. It monitors normal traffic flow and drops burst traffic above the normal rate for a single host B. It matches traffic; from individual hosts against the specific network characteristics of known attack types C. It sets a specific intrusion detection mechanism and applies the appropriate ACL when matching traffic is detected D. It monitors normal traffic flow and aggressively drops sustained abnormally high traffic streams from multiple hosts

Answer: D

QUESTION 357 Refer to the exhibit. What are two effects of the given configuration? (Choose two)

A. TCP connections will be completed only to TCP ports from 1 to 1024 B. FTP clients will be able to determine the server’s system type C. The client must always send the PASV reply D. The connection will remain open if the size of the STOR command is greater than a fixed constant E. The connection will remain open if the PASV reply command includes 5 commas

Answer: BE

QUESTION 358 Which three statements about Cisco AnyConnect SSL VPN with the ASA are true? (Choose three.)

A. DTLS can fall back to TLS without enabling dead peer detection. B. By default, the VPN connection connects with DTLS. C. Real-time application performance improves if DTLS is implemented. D. Cisco AnyConnect connections use IKEv2 by default when it is configured as the primary protocol on the client E. By default, the ASA uses the Cisco AnyConnect Essentials license. F. The ASA will verify the remote HTTPS certificate

Answer: CDE

QUESTION 359 Which two statements about the Cisco AnyConnect VPN Client are true? (Choose two.)

A. To improve security, keepalives are disabled by default. B. It can be configured to download automatically without prompting the user C. It can use an SSL tunnel and a DTLS tunnel simultaneously D. By default, DTLS connections can fall back to TLS. E. It enables users to manage their own profiles.

Answer: BC

QUESTION 360 What are the two different modes in which Private AMP cloud can be deployed? (Choose two)

QUESTION 361 Refer to the exhibit. What are two functionalities of this configuration (Choose two.)

A. Traffic will not be able to pass on gigabitEthernet 0/1 B. The ingress command is used for an IDS to send a reset on vlan 3 only C. The source interface should always be a VLAN D. The encapsulation command is used to do deep scan on dot1q encapsulated traffic E. Traffic will only be sent to gigabitEthernet 0/20

Answer: BE

QUESTION 362 You are considering using RSPAN to capture traffic between several switches. Which two configuration aspects do you need to consider? (Choose two.)

A. The RSPAN VLAN need to be blocked on all trunk interfaces leading to the destination RSPAN switch B. Not all switches need to support RSPAN for it to work C. The RSPAN VLAN need to be allow on all trunk interfaces leading to the destination RSPAN switch D. All distribution switches need to support RSPAN E. All switches need to be running the same IOS version

Answer: CD

QUESTION 363 Which two statements about the TTL value in an IPv4 header are true? (Choose two )

A. It is a 4-bit value. B. It can be used for traceroute operations. C. When it reaches 0, the router sends an ICMP Type 11 message to the originator. D. Its maximum value is 128. E. It is a 16-bit value.

Answer: BC

QUESTION 364 Which three ESMTP extensions are supported by the Cisco ASA (Choose three.)

A. NOOP B. PIPELINING C. SAML D. 8BITMIME E. STARTTLS F. ATRN

Answer: ACE Explanation: http://www.cisco.com/c/en/us/about/security-center/intelligence/asa-esmtp-starttls.htmlESMTP application inspection adds support for extended SMTP commands, including AUTH, EHLO, ETRN, HELP, SAML, SEND, SOML, STARTTLS, and VRFY. Along with the support for seven RFC 821 commands (DATA, HELO, MAIL, NOOP, QUIT, RCPT, and RSET), the ASA supports a total of 15 SMTP commands. Other extended SMTP commands, such as ATRN, ONEX, VERB, and CHUNKING, and private extensions are not supported.

QUESTION 365 Refer to the exhibit. For which type of user is this downloadable ACL appropriate?

QUESTION 366 Refer to the exhibit Which effect of this configuration is true?

A. If the RADIUS server is unreachable, SSH users cannot authenticate. B. All commands are validated by the RADIUS server before the device executes them. C. Only SSH users are authenticated against the RADIUS server. D. Users must be in the RADIUS server to access the serial console E. Users accessing the device via SSH and those accessing enable mode are authenticated against the RADIUS server

Answer: E

QUESTION 367 Refer to the exhibit Which two effects of this configuration are true? (Choose two)

A. If the TACACS+ server is unreachable, the switch places hosts on critical ports in VLAN 50 B. If the authentication priority is changed, the order in which authentication is performed also changes. C. If multiple hosts have authenticated to the same port, each can be in their own assigned VLAN D. The port attempts 802.1x authentication first, and then falls back to MAC authentication bypass E. The device allows multiple authenticated sessions for a single MAC address in the voice domain. F. The switch periodically sends an EAP-ldentity-Request to the endpoint supplicant

QUESTION 372 Which two statements about SPAN sessions are true? (Choose two.)

A. Local SPAN and RSPAN can be mixed in the same session. B. They can monitor sent and received packets in the same session C. Source ports and source VLANs can be mixed in the same session D. They can be configured on ports in the disabled state before enabling the port E. A single switch stack can support up to 32 source and RSPAN destination sessions F. Multiple SPAN sessions can use the same destination port.

Answer: BD

QUESTION 373 When TCP Intercept is enabled in its default mode, how does it react to a SYN request?

A. It monitors the sequence of SYN, SYN-ACK, and ACK messages until the connection is fully established. B. It drops the connection. C. It monitors the attempted connection and drops it if it fails to establish within 30 seconds D. It allows the connection without inspection E. It intercepts the SYN before it reaches the server and responds with a SYN-ACK

Now we are one step ahead in providing updated real exam dumps for 400-251. We provide 100% 400-251 exam passing guarantee as we will provide you same questions of 400-251 exam with their answers. Our Cisco 400-251 new questions are verified by experts.